Saturday, May 19, 2018, 11:53:04 AM, Jacques Le Roux wrote:

> Ah, not a big deal, but should we not restrict read (640) on
> /opt/fmonlinetester/etc/freemarker-online.yml ?
>
> It contains the cert secret key...

Sure, go ahead.

> On 19/05/2018 at 11:08, Jacques Le Roux wrote:
>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root,
>> content:
>>
>> certbot renew
>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass pass:"theKnownPassword" (not copied here)
>>
>> I think it should not change the rights to read in /etc/letsencrypt/live
>> (now with fmonlinetester in group) but we should try it manually once and
>> check. If it does change then we will need to re-add fmonlinetester in the
>> group at end of cert-renew.sh. I crossed this read issue before as
>> jleroux user, initially the dir was readable w/o sudo and then not. Not
>> sure if it's certbot or openssl which did that in my case.
>>
>> Also I don't think we need to care about change in
>> /etc/letsencrypt/live/try.freemarker.apache.org/ If there are no changes
>> certificate.p12 will be the same, no worries.
>>
>> I think we should not show the "theKnownPassword" in the wiki page...
>>
>> What do you think?
>>
>> Jacques
>>
>> On 19/05/2018 at 10:32, Daniel Dekany wrote:
>>> Now https works, and only the cron job and documenting things on the
>>> cwiki is missing (the copy-paste cron script mostly, I guess).
>>>
>>> Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:
>>>
>>>> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>>>>
>>>>> On 17/05/2018 at 09:04, Jacques Le Roux wrote:
>>>>>> On 16/05/2018 at 22:26, Jacques Le Roux wrote:
>>>>>>> When I read the content in my local Git repo it's commented out. I
>>>>>>> guess I should manually change it on the VM and restart the app with
>>>>>>> Gradle?
>>>>>>>
>>>>>>> As it's a bit late already, I let you handle this last part ;)
>>>>>> OK I remember now that you documented the app restart at
>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>> I'll do so now and will have a look at the code change for the renew
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>> I have just changed the file according to my previous message, i.e.
>>>>> modified to
>>>>> keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>> keyStorePassword: HTTPDisUnnecessary
>>>>> and also while at it (not sure we want that)
>>>>> validateCerts: true
>>>>>
>>>>> But after setting the iptables for 443-8443 (v4 and v6), saving the
>>>>> change and restarting the app it did not work:
>>>>>
>>>>> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
>>>>> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
>>>>> May 17 11:52:10 freemarker-vm java[14009]: MultiException[java.lang.IllegalStateException: no valid keystore, java.lang.IllegalStateException: no
>>>> That was because the service had no right to read the parent directory
>>>> of the p12 file. (Yeah, that error message is not very helpful...) I
>>>> have fixed that. So now the only problem we have is what I said in the
>>>> other mail. And we will need the cron script... or maybe a systemd
>>>> timer unit instead.
>>>>
>>>>> valid keystore, java.util.concurrent.RejectedExecutionException: org.eclipse.jetty.io.Manag
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at org.eclipse.jetty.server.Server.doStart(Server.java:382)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at io.dropwizard.cli.Cli.run(Cli.java:78)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at io.dropwizard.Application.run(Application.java:93)
>>>>> May 17 11:52:10 freemarker-vm java[14009]: at org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>>>>>
>>>>> So I commented out the HTTPS part
>>>>> # # FOR PRODUCTION:
>>>>> # - type: https
>>>>> #   port: 8443
>>>>> #   keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>> #   keyStoreType: PKCS12
>>>>> #   keyStorePassword: HTTPDisUnnecessary
>>>>> #   validateCerts: true
>>>>> and restarted the app
>>>>>
>>>>> Now http://try.freemarker.org/ works again, but no longer
>>>>> http://try.freemarker.apache.org/ which is redirected to
>>>>> https://try.freemarker.apache.org/
>>>>> I don't understand the redirect. Has this changed before my change?
>>>>> I don't know.
>>>>> I have double-checked, though I have not reverted the config yet, HTTPD
>>>>> is no longer working.
>>>>> Maybe it's due to the certificate (created for a.o) but I can't see
>>>>> how DropWizard would now relate to it, since
>>>>> keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>> and the whole HTTPS block, is commented out :/
>>>>>
>>>>> I'll get back to that later...
>>>>>
>>>>> Jacques
>>>>>

-- 
Thanks,
 Daniel Dekany
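A hardened version of the cert-renew.sh cron job discussed in this thread, written here as an added example (not the script from the thread or anything from the FreeMarker project): the PKCS#12 export password is read from a root-owned file rather than passed on the command line (so it lands neither in the wiki nor in the process list), the .p12 is restricted to root plus the service group with mode 0640, and the script verifies that the service user can actually read the keystore after renewal, since an unreadable parent directory is what produced Jetty's "no valid keystore" error above. The /etc/letsencrypt/p12-pass path, the fmonlinetester user name, the systemd unit name and the use of util-linux `su -s` for the readability check are assumptions.

```shell
#!/bin/sh
# cert-renew.sh: constructed example of a nightly root cron job for try.freemarker.apache.org.
set -eu

DOMAIN="try.freemarker.apache.org"
LIVE="/etc/letsencrypt/live/$DOMAIN"
P12="/etc/letsencrypt/live/certificate.p12"   # keyStorePath in freemarker-online.yml
PASS_FILE="/etc/letsencrypt/p12-pass"          # assumed: holds keyStorePassword, 0640 root:fmonlinetester
SERVICE_USER="fmonlinetester"                  # assumed service account (the thread names the group)
SERVICE_GROUP="fmonlinetester"

# Make a file readable by root and the service group only (mode 0640).
# Returns 0 when the resulting mode is exactly 0640, 1 otherwise.
restrict_file() {
    f="$1"; grp="$2"
    chgrp "$grp" "$f"
    chmod 0640 "$f"
    [ -n "$(find "$f" -prune -perm 0640)" ]
}

# Check that a user can really read a path: this catches the "parent directory
# not traversable" case that Jetty only reports as "no valid keystore".
readable_as() {
    user="$1"; path="$2"
    su -s /bin/sh -c "test -r '$path'" "$user"    # assumption: util-linux su
}

# Renew (certbot only talks to Let's Encrypt when a cert is near expiry), then
# rebuild the PKCS#12 keystore that Dropwizard/Jetty loads. The password comes
# from PASS_FILE via -passout file:, so it never appears in argv or cron mail.
renew_and_export() {
    certbot renew --quiet
    umask 077
    openssl pkcs12 -export -out "$P12" \
        -inkey "$LIVE/privkey.pem" -in "$LIVE/cert.pem" \
        -certfile "$LIVE/chain.pem" -passout "file:$PASS_FILE"
    restrict_file "$P12" "$SERVICE_GROUP"
    if ! readable_as "$SERVICE_USER" "$P12"; then
        echo "cert-renew: $SERVICE_USER cannot read $P12; check group on $(dirname "$P12")" >&2
        exit 1
    fi
    systemctl restart freemarker-online-tester.service   # assumed unit name
}

# Only run the job when invoked as cert-renew.sh, so the functions can be sourced and tested.
case "$0" in */cert-renew.sh|cert-renew.sh) renew_and_export ;; esac
```

If the readability check fails, the fix from the thread still applies: re-add the service account to the group that owns /etc/letsencrypt/live, or chgrp that directory, before the restart.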
